Chapter Twelve Implementing Terminal Services and Remote Access

Presentation Transcript

  1. 70-270, 70-290 MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Twelve Implementing Terminal Services and Remote Access

  2. Objectives • Install and configure Terminal Services • Describe remote access features and protocols • Configure security features for remote access Guide to MCSE 70-270, 70-290

  3. Implementing Terminal Services • Terminal Services: Provides remote access to a server desktop • Through “thin client” software • Transmits only program’s user interface to client • Centralized control of applications • Remote Desktop for Administration: Enables administrators to connect to a server for administrative purposes • Disabled by default

  4. Enabling Remote Desktop for Administration • Only need to change a single setting in System Properties dialog box • By default, Administrators group members can connect via Remote Desktop for Administration • Can grant other users access • Activity 12-1: Enabling and Testing Remote Desktop for Administration • Objective: Enable and test Remote Desktop for Administration

  5. Enabling Remote Desktop for Administration (continued) Figure 12-1: The Remote tab of the System Properties dialog box

  6. Enabling Remote Desktop for Administration (continued) Figure 12-2: Entering a user name, password, and domain name for Remote Desktop Connection

  7. Implementing Terminal Services Table 12-1: Benefits of Terminal Services

  8. Implementing Terminal Services (continued) • Terminal Services has 2 major components: • Terminal server: Computer on which Terminal Services installed • Enables users to remotely run Windows applications • License server: Computer on which Terminal Services Licensing service installed • Stores client access license (CAL) tokens for group of terminal servers • Tracks license tokens that have been issued • Implementing Terminal Services Licensing consists of installation and activation

  9. Implementing Terminal Services (continued) • Installing Terminal Services on a Terminal Server: Installed from Control Panel’s Add or Remove Programs applet • Activity 12-2: Installing Terminal Services • Objective: Install Windows Server 2003 Terminal Services • Licensing Service Installation: Must be at least one license server on network for Terminal Services to obtain license information • Installing terminal server and Licensing service on same computer is acceptable, but possibly costly

  10. Implementing Terminal Services (continued) Figure 12-4: The Terminal Services Licensing model

  11. Implementing Terminal Services (continued) • Licensing Service Installation (continued): • Microsoft maintains Microsoft Certificate Authority and Licensing Clearinghouse to activate license servers and issue client license key packs • License servers support many types of licenses • Terminal Server Device Client Access Licenses • Terminal Server User Client Access Licenses • Can be installed on workgroup-based server, member server, or domain controller • Choice determines how and when terminal servers find a license server

  12. Implementing Terminal Services (continued) • Licensing Service Activation: Use Activation Wizard in Terminal Services Licensing tool • Three connection methods: • Automatic connection (recommended) • Web Browser • Telephone • When license server activated, Microsoft supplies limited-use digital certificate to validate server ownership and identity • X.509 industry-standard certificate

  13. Configuring and Managing Terminal Services • Three tools for Terminal Services administration: • Terminal Services Manager: Monitors and controls client access to terminal servers • Terminal Services Configuration: Configures terminal server settings and connections • Terminal Services Licensing: Stores and tracks Terminal Services client access licenses • Configuring Remote Connection Settings: Configure security and connection-related settings with Terminal Services Configuration tool

  14. Configuring and Managing Terminal Services (continued) Figure 12-6: The Terminal Services Configuration window

  15. Configuring and Managing Terminal Services (continued) • Each network interface in Terminal Services server can be configured with only one Remote Desktop Protocol (RDP) connection • Most important settings to be checked when configuring a Terminal Services connection are encryption and authentication • Available encryption options include: • Low • Client Compatible • High • FIPS Compliant

  16. Configuring and Managing Terminal Services (continued) Table 12-3: Property settings for a Terminal Services connection

  17. Configuring and Managing Terminal Services (continued) • Activity 12-3: Exploring Terminal Services Settings • Objective: Explore Terminal Services settings • Using Terminal Services Manager: View and manage terminal servers in Active Directory forest • Monitor users, sessions, and applications • Carry out administrative tasks • Three tabs in Terminal Services Manager Window: • Users, Sessions, and Processes

  18. Configuring and Managing Terminal Services (continued) • Using Terminal Services Manager (continued): • Users tab: Name, connection time, state of user connection • Sessions tab: Displays user session information • Processes tab: Information about applications running in user’s session • Session types: • User • Console • Listener • Idle

  19. Configuring and Managing Terminal Services (continued) Table 12-4: Terminal Services Manager actions

  20. Configuring and Managing Terminal Services (continued) Table 12-4 (continued): Terminal Services Manager actions

  21. Terminal Services Client Software • After Terminal Services installed, client software packages automatically added to %systemroot%\System32\Clients\Tsclient\Win32 • Contains files for installing RDC software • Client software provided as both MSI file and Win32 executable • Recommended installation method is to share %systemroot%\System32\Clients\Tsclient\Win32 folder • Initiate installation over network manually or via group policies for software deployment

  22. Installing Applications • Applications must be installed in compatible mode for multiple users to access them simultaneously • Might need to reinstall some applications • On terminal server, software applications should be installed only in install mode

  23. Configuring Terminal Services User Properties • Terminal Services adds four tabs to Properties dialog boxes of user accounts: • Terminal Services Profile: Enable user as Terminal Services client • Remote control: Configure remote control properties for user account • Sessions: Set max session time and disconnect options • Environment: Configure programs to run automatically when user connects

  24. Troubleshooting Terminal Services • Tips/Guidelines for troubleshooting: • If user unable to log on, ensure client software settings correct and Allow logon to terminal server option set • If connection refused, ensure client meets server’s RDP encryption requirements • If all users unable to log on, ensure connection enabled • Each network interface can be configured with only one RDP connection to the network

  25. Troubleshooting Terminal Services (continued) • Tips/Guidelines for troubleshooting (continued): • If several users require sessions on RDP connection, might need to increase number of sessions available • If applications don’t run, might need to relax application security settings • Must have administrative rights on terminal server to manage and troubleshoot Terminal Services

  26. Implementing Remote Access • Remote access: Connecting to another computer or network using a public carrier • Useful when used with Terminal Services • Accomplished in two ways: • Direct dial-up • Virtual private network (VPN) over Internet

  27. Dial-up Remote Access • Computers connect and transfer information using modems and a phone line • When connection created between dial-up client and server, modems act like NICs • Allowing client to access resources on network • Easy availability • Example: Accessing Internet by dialing into an ISP • IP Address Management: When clients connect to Windows Server 2003 remote access server, assigned an IP address • DHCP or static pool of IP addresses

  28. Dial-up Remote Access (continued) Figure 12-16: Using DHCP for the IP address configuration of a remote access client

  29. Dial-up Remote Access (continued) • Enabling and Configuring a Dial-up Server: Use Routing and Remote Access Service (RRAS) to enable and configure dial-up servers and clients • Must enable RRAS • Must configure Telephony Application Programming Interface (TAPI) • Must ensure modem(s) installed and properly configured • Enable RRAS for dial-up connections • Using the Routing and Remote Access snap-in in Windows Server 2003

  30. Dial-up Remote Access (continued) • Activity 12-4: Installing a Modem • Objective: Perform the steps necessary to install a modem on a Windows Server 2003 or XP system • Activity 12-5: Enabling RRAS as a Dial-up Server • Objective: Configure RRAS on your server to act as a dial-up server • Dial-up Security: User name and password are basis for remote access security • Only designated users allowed to connect

  31. Dial-up Remote Access (continued) Figure 12-20: Dial-up security options

  32. Dial-up Remote Access (continued) • Dial-up Protocols: Dial-up connections require different protocols than LAN connections • Serial Line Internet Protocol (SLIP): Rarely used • Point-to-Point Protocol (PPP): Used by default • Can automatically configure clients with IP address information • Can support multiple LAN protocols • Can provide for scripting logon processes • PPP Multilink Protocol (PPP-MP): Enables combination of multiple remote access links into one logical connection

  33. Dial-up Remote Access (continued) • Dial-up Protocols (continued): • Both LAN and dial-up network protocols need to be considered when configuring Windows Server 2003 as a remote access server • Activity 12-6: Creating a Dial-up Connection • Objective: Configure your client to make a dial-up connection to an RRAS server

  34. VPN Remote Access • Virtual private network (VPN): Creates private connection between two entities across Internet • Advantages over dial-up: • Ease of setup • Speed • Encryption • Requires protocol to create secure “tunnel” for delivering TCP/IP packets across Internet • Point-to-Point Tunneling Protocol (PPTP) • Layer Two Tunneling Protocol (L2TP)

  35. VPN Remote Access (continued) Figure 12-22: Initiating a VPN connection across the Internet

  36. VPN Remote Access (continued) • PPTP: Uses Microsoft Point-to-Point Encryption (MPPE) • Easy to configure • Works across NAT routers • Does not authenticate • L2TP: More secure than PPTP • Harder to configure • Works in conjunction with IPSec • Performs authentication • Limited support for traversing NAT routers

  37. VPN Remote Access (continued) • IP Security (IPSec): Negotiates secure encrypted communications link between client and server • Through public and private encryption keys • Two modes: • Transport: Links between any two systems on network • Tunneling: Only links between two specific systems • IPSec policies govern how system communicates through TCP/IP • Three sample IPSec policies given by Windows XP: • Client (Respond Only), Server (Request Security), and Secure Server (Require Security)

  38. VPN Remote Access (continued) • IP Security (continued): • Supports three types of authentication methods: • Kerberos version 5 (default and preferred) • Public key certificate • Preshared key (least secure) • Configuring a VPN Remote Access Server: Remote access server automatically configured for five PPTP ports and five L2TP ports • Activity 12-7: Configuring a Remote Access Server • Objective: Configure remote access server settings

  39. VPN Remote Access (continued) Figure 12-23: Default VPN ports

  40. VPN Remote Access (continued) Table 12-5: RRAS authentication methods

  41. Remote Access Security • Allowing Remote Access to Windows XP: Via dial-in or VPN connection • User’s name must be added to Remote Desktop Users list • Remote Access Policies: Stored on each remote access server • Policies applied to users can vary depending on server to which user connects • Activity 12-8: Creating a Remote Access Policy • Objective: Create a new remote access policy on your remote access server

  42. Remote Access Security (continued) • Activity 12-9: Creating a Client VPN Connection • Objective: Create a client VPN connection and then test it • Windows XP Internet Connection Firewall (ICF): Protect network connections from unwanted traffic • Stateful firewall • Configured by default to block most incoming traffic • Can configure to allow specific types of traffic without internal request

  43. Remote Access Security (continued) Figure 12-32: The Services tab of the Advanced Settings dialog box

  44. Remote Access Security (continued) • ICF (continued): • Can log dropped traffic • Activity 12-10: Configuring ICF • Objective: Configure a dial-up network connection (Internet) as a firewall

  45. Sharing Internet Connections • Internet Proxy Service: Proxy server acts as intermediary between internal network and Internet • Windows XP Internet Connection Sharing (ICS): Used to share a single network connection with small group of networked computers • Computer essentially becomes a limited DHCP server • Activity 12-11: Configuring ICS • Objective: Configure Windows XP Professional to share an Internet connection with other computers on a network

  46. Sharing Internet Connections (continued) Figure 12-36: Using a proxy server

  47. Sharing Internet Connections (continued) • Configuring ICS: • On-demand dialing • Define internal services accessible to external users • By default, allows access to L2TP, PPTP, and IKE (IPSec) resources • Can enable access to other resources • Do not use on networks with domain controllers, DNS servers, gateway systems, DHCP servers, or with clients that must have static IP addresses

  48. Sharing Internet Connections (continued) • Configuring ICS (continued): • ICS Troubleshooting Tasks: • Verify connection is active and functioning • Verify communication from other clients can access your system over the network • Make sure computer hosting ICS has IP address of 192.168.1.1 with mask of 255.255.255.0 • Ensure ICS client computers set to automatically obtain IP address information

  49. Windows Server 2003 Network Address Translation (NAT) Figure 12-38: NAT routing

  50. Summary • Terminal Services is a Windows Server 2003 feature that allows users to connect to and run applications on a Windows Server 2003 system from their desktops as though they were sitting at the server console • Remote Desktop for Administration is a Windows Server 2003 feature that allows an administrator to connect to servers remotely for administrative purposes • Terminal Services requires that the Licensing service be installed and activated
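
Slides 15 and 24 single out the RDP connection's encryption level as a setting to check. As an added example (not part of the original slides), this Python script audits a regedit export for it; the `fDenyTSConnections` and `MinEncryptionLevel` value names are the standard Windows registry names, which the slides do not give, and the sample export and the `required_level` policy are assumptions constructed for the example.

```python
import re

# MinEncryptionLevel values and the names shown in Terminal Services Configuration.
LEVELS = {1: "Low", 2: "Client Compatible", 3: "High", 4: "FIPS Compliant"}
TS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
RDP_KEY = TS_KEY + r"\WinStations\RDP-Tcp"

# Constructed sample of a regedit export (not taken from a real server).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00000d3d
"MinEncryptionLevel"=dword:00000002
'''

def parse_reg_dwords(text):
    """Return {key_path: {value_name: int}} for the dword values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = keys.setdefault(section.group(1), {})
            continue
        value = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if value and current is not None:
            current[value.group(1)] = int(value.group(2), 16)
    return keys

def audit_rdp(text, required_level=3):
    """List findings; required_level=3 (High) is this example's assumed policy."""
    keys = parse_reg_dwords(text)
    findings = []
    if keys.get(TS_KEY, {}).get("fDenyTSConnections", 1) == 0:
        findings.append("remote connections are enabled")
    level = keys.get(RDP_KEY, {}).get("MinEncryptionLevel")
    if level is None:
        findings.append("MinEncryptionLevel not set; check the connection properties")
    elif level < required_level:
        findings.append(f"encryption level is {LEVELS.get(level, level)}, "
                        f"below required {LEVELS[required_level]}")
    return findings
```
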
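
Slide 44 notes that ICF can log dropped traffic. As an added example (not part of the original slides), this Python parser reads that log and reports sources that were repeatedly dropped while reaching for the remote-access services the chapter covers; the log lines are constructed, and the well-known default ports and the threshold of three are assumptions of the example, not values from the slides.

```python
from collections import Counter

# Default ports of the remote-access services this chapter covers.
WATCHED = {("TCP", 3389): "RDP", ("TCP", 1723): "PPTP",
           ("UDP", 1701): "L2TP", ("UDP", 500): "IKE"}

# Constructed sample in the W3C-style layout ICF writes to pfirewall.log.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2003-05-12 10:15:32 DROP TCP 203.0.113.5 192.168.1.10 4321 3389 48 S 1234567 0 16384 - - -
2003-05-12 10:15:35 DROP TCP 203.0.113.5 192.168.1.10 4322 3389 48 S 1234890 0 16384 - - -
2003-05-12 10:15:41 DROP TCP 203.0.113.5 192.168.1.10 4323 3389 48 S 1235111 0 16384 - - -
2003-05-12 10:16:02 DROP TCP 198.51.100.7 192.168.1.10 2210 1723 48 S 7654321 0 16384 - - -
2003-05-12 10:16:40 DROP ICMP 198.51.100.7 192.168.1.10 - - 60 - - - - 8 0 -
2003-05-12 10:17:02 OPEN TCP 192.168.1.10 192.0.2.44 1055 80 - - - - - - - -
2003-05-12 10:18:11 DROP TCP 203.0.113.5
"""

def parse_icf_log(text):
    """Yield one dict per well-formed entry, using the #Fields header for column names."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):   # skip truncated or malformed lines
            yield dict(zip(fields, values))

def repeated_drops(text, threshold=3):
    """Return {(src_ip, service): count} for sources dropped >= threshold times."""
    hits = Counter()
    for rec in parse_icf_log(text):
        if rec["action"] != "DROP" or not rec["dst-port"].isdigit():
            continue
        service = WATCHED.get((rec["protocol"], int(rec["dst-port"])))
        if service:
            hits[(rec["src-ip"], service)] += 1
    return {key: n for key, n in hits.items() if n >= threshold}
```
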